Conventional countermeasures against cyber attacks have involved entrance countermeasures by antivirus software and the like, but have been unable to prevent infection completely, and thus importance of exit countermeasures preventing expansion of damage after malware infection has been increasing.
By the exit countermeasures, infected terminals are found and the malware infected terminals are disconnected from the network. One method of identifying any malware infected terminal is a method, in which a blacklist related to IP addresses, URLs, and the like of communication destinations that are characteristic of malware is used, and any terminal that performs communication with a destination at an IP address or URL in this blacklist is identified.